White House Sets Framework for Cybersecurity; Builds in Privacy

A cybersecurity report issued today by the national security and homeland security advisors to President Obama lays a useful foundation for cybersecurity policy in the coming years. The White House report, the product of a 60-day review of cybersecurity policy government-wide, is more than a generalized statement of principles and goals, but lacks the specifics of a full blueprint. The report mentions at least a dozen times the need to account for privacy and civil liberties, reflecting a commitment to build in protections when cybersecurity measures could adversely affect either. This balanced approach presages potentially pitched battles going forward about how best to enhance cybersecurity while protecting civil liberties.

The report lays a foundation for organizing for privacy as well as for cybersecurity. It endorses many proposals CDT has made to protect privacy. It calls for appointing a privacy and civil liberties officer in a newly created cybersecurity directorate, for appointing a privacy and civil liberties officer to the National Security Council, and for rapidly reconstituting the Privacy and Civil Liberties Oversight Board — an independent agency in the Executive Branch, which, the report concludes, should be given express statutory authority for cybersecurity.

While the White House report opens with the troubling assertion that a loose and lightly regulated critical infrastructure based on the Internet poses a great threat to the nation, to private enterprise, and to individual rights, its substantive recommendations, by contrast, seem to recognize that a light approach to regulation has been essential to the Internet’s innovation, freedom, and openness. The report gives officials enough flexibility to implement the measures it recommends without heavy-handed regulation of the Internet or of the technology industry, but there is a myriad of policy decisions yet to come that bear careful watching.

What is omitted from the report is as significant as what is included in it. For example, while the report recommends a stronger cybersecurity role for the White House, it does not propose that the President be given the power to limit or shut down Internet traffic to a critical infrastructure information system.

CDT letter to Melissa Hathaway, Head of 60-Day Review Team (March 19, 2009)

2) White House, Not NSA, Will Provide Cybersecurity Leadership

The report would give the cybersecurity lead to a White House official who would manage a new cybersecurity directorate at the National Security Council, but who would report both to the NSC and the National Economic Council. This dual reporting system seems intended to ensure that the official will be equally sensitive to the impact of cybersecurity measures on both security and economic interests, including innovation, competition, and the need to protect proprietary information. Among other things, this White House official will coordinate cybersecurity policy, prepare a national strategy to secure critical infrastructure, develop key management priorities and performance metrics, and convene an interagency mechanism to conduct interagency legal analyses, formulate coherent policy guidance and clarify roles and responsibilities of the federal agencies involved in the cybersecurity effort. The NSC cybersecurity directorate would not conduct cybersecurity operations.

Assigning this strong coordinating function to a new White House cybersecurity officer largely puts to rest concerns that the National Security Agency would assume a lead role in developing and executing cybersecurity policy for civilian infrastructure information systems. CDT had recommended that the NSA not be given the lead cybersecurity role because its secrecy would compromise its ability to generate the trust in the private sector that is essential to a successful cybersecurity program. In addition, NSA’s role of exploiting network vulnerabilities to spy on U.S. adversaries would be difficult to reconcile with lead responsibility for closing down network vulnerabilities to enhance security when the same technologies are used both in U.S. and foreign networks.

The White House report seems to reject proposals to transfer to the NSA the functions of the DHS National Cyber Security Center. The NCSC is responsible for protecting the federal government’s communications networks. However, the report calls for a review of the “operational concept” of the NCSC to determine whether its current responsibilities, resources and governance are adequate to provide the shared situational awareness that is necessary to support cyber incident response. This review may lead to calls to diminish the role of the NCSC, or even eliminate it altogether – developments that could result in further upheaval of cybersecurity programs.

Maintaining cybersecurity operations at the NCSC, instead of at the White House or the NSA, would tend to promote transparency in those efforts, congressional oversight, and more oversight by the DHS Privacy Office – probably the strongest such office in the federal government. Transparency in the cybersecurity program builds trust that is needed to establish partnerships with private sector critical infrastructure providers.

While the need for more transparency is not addressed in the report, the report itself is the product of a very open, inclusive and public process. However, going forward, the report’s frequent calls for engaging the privacy and civil liberties community on important issues will lead to productive engagement only to the extent that key information about the program is made publicly available.

The White House report says that information sharing is a key to preventing, detecting, and responding to cyber attacks. In order to promote cybersecurity, the federal government must know when private sector critical infrastructure is under attack, and usually this information must come from a private sector entity. The report rightly calls for the federal government to work with the private sector to develop standards for incident reporting to the federal government so that only meaningful attacks are reported. Because personally identifiable information is sometimes implicated in incident reporting, the report specifically points out that incident reporting rules must protect civil liberties. Indeed, the White House report puts privacy rights on an equal footing with other critically important interests to protect in the information sharing context: prevention of unfair competitive advantage and protection of intelligence sources and methods.

The White House report favors incentives for information sharing over heavy-handed government regulation, and characterizes regulation as a “last resort” that would be pursued only in conjunction with measures to protect civil liberties and privacy and maintain fair and open markets. The report also points out that governmental sharing of information with the private sector must address issues relating to proprietary data and personally identifiable information. Absent from the report is a recommendation that a governmental entity be empowered to override all laws in order to access threat, incident and vulnerability information that is maintained in the private sector. This troubling concept, embodied in Section 14 of the Rockefeller/Snowe Cybersecurity Act, finds no support in the White House Report.

The White House report also recommends incident reporting rules for federal agencies and for state and local governments, with a goal of developing overall situational awareness and the ability to coordinate responses. While the report observes that some state data breach laws already require reporting certain information about security breaches, it missed an opportunity to promote improvements in those laws by recommending that data breach reports called for in state laws be provided not only to state authorities, but to an appropriate federal agency as well.

4) Building Privacy Into Identity and Authentication Measures

Identity and authentication are important elements of cybersecurity, but they can either promote privacy or threaten it. For example, a transaction or interaction may be “private” largely because it cannot be traced to an identified individual. The right to speak anonymously enjoys constitutional protection. On the other hand, authenticating an individual’s identity can also enhance privacy. For example, collecting personal information about a party to a transaction in order to determine whether the transaction involves fraudulent use of identity may advance a privacy interest – the prevention of identity fraud.

The White House report takes an aggressive, but nuanced, approach to authentication and identity management. It suggests the need for identity management systems not only for people, but also for hardware and software. It calls for the federal government to build a security-based identity management vision and strategy for the nation, in collaboration with industry and civil liberties groups.

Importantly, it also recognizes the principles of proportionality and diversity of identity management solutions, which are among the most important of the “Privacy Principles for Identity in the Digital Age” that CDT outlined last year. Under the proportionality principle, if a transaction has high significance and sensitivity, it may be more appropriate to require authentication and the collection of more sensitive information to authenticate. Under the diversity principle, multiple identification solutions for different identity purposes are preferred because use of a single identifier or credential creates a single target for privacy and security abuses. A single identifier also allows for multiple transactions and interactions to be tied to that identifier, permitting potentially invasive data surveillance. The White House report recognizes the diversity and proportionality principles by calling for an array of interoperable identity management systems that would be used only for what it calls “high value” activities, like certain smart grid functions, and then only on an opt-in basis. Those calling for broader authentication mandates across the Internet will not find support in the report.

How the government builds privacy into the security-based identity management vision and strategy the White House report calls for will be critically important as the cybersecurity program unfolds.

5) Congress to Weigh In on Cybersecurity

Congress will be the next stop for cybersecurity. Already, a number of hearings have been conducted and a number of cybersecurity bills have been introduced. Others will follow. Issues to look for:

Incentives versus mandates: The White House report comes down in favor of cybersecurity incentives for the private sector, but reserves regulation as a last resort.

DHS role in cybersecurity: Will the coordinating role of the White House cybersecurity official marginalize the statutory role of DHS in cybersecurity planning and in partnering with the private sector?

Identity and authentication: Will legislation address identity management and will it account for privacy protective principles?

Consolidation of authorities: The report recommends legislation to consolidate national security, law enforcement and military authorities over information systems to facilitate response to cyber attacks. Legal distinctions among those systems – including those designed to protect civil liberties and information pertaining to U.S. citizens – should not be swept away in this process.

Speedy appointments: The quick nomination and confirmation of privacy officials would reflect a strong commitment to building in privacy from the beginning, as the cybersecurity program is developing, instead of as an afterthought.

CDT cybersecurity testimony before the House Energy and Commerce Committee, Subcommittee on Communications, Technology and the Internet (May 1, 2009)